Governance, risk and compliance (GRC) is an important topic for senior stakeholders of all types of organizations. Generally, the topic is considered critical for public companies, large nonprofits and any organization that is under scrutiny by third parties. An effective GRC strategy is also critical for startups as they scale, seek investment and chart a course to maximize their potential for a strategic exit.
Understanding everything that goes into GRC, however, can be daunting for many entrepreneurs. Frankly, it is not a topic that a startup founder wants to devote any amount of time to thinking about. The reality is that you cannot ignore GRC, but you certainly should not let it overwhelm you.
Let’s examine each area of a GRC strategy and its implications for startups.
Governance refers to fiduciary oversight. All large public companies are required to have a board of independent directors who provide this oversight. The primary purpose of this governance structure is to provide comfort to investors that their interests are considered.
Startups, on the other hand, do not have this requirement. And their founders are laser-focused on other areas, such as developing their offering, raising and spending their capital, generating revenue and building a team. They may have the viewpoint of, “I don’t need people who don’t do anything looking over my shoulder.”
Sure, you don’t need a board of directors like Apple or Bank of America do, but please don’t miss the boat on the essence of governance concepts and how they enhance the value of your business. Specifically, if you’re going to attract outside investments from venture capital (VC) firms or other entities, they’re going to want you to have an advisory board that provides some level of oversight. They’re not going to write you a check and say, “Good luck. See you when we have the exit discussion.”
If you don’t have an advisory board, you need to start thinking about it sooner rather than later. And you’ve got to hand-select the members carefully. Your board shouldn’t be made up only of people from the VC firms. Those individuals may only be focused on one thing: revenue. This is your opportunity to bring together a group of seasoned advisors that you like and trust to supplement the team. Choose wisely, and you will have a team of focused and dedicated advisors.
Don’t create a board for board’s sake. Pick startup advisors who will help you:
- identify the issues you need to address so your company can strategically grow;
- navigate the balance between theory and best practice;
- complement the expertise that is already within reach; and
- understand the ultimate goal of maximizing value.
Don’t be foolish. Take charge and turn governance into an early-stage competitive advantage.
What is your ultimate goal: make an impact that matters, maximize the sale price of your company or go public? Whatever the answer, risk management should be a part of your strategic thinking.
Many startups either become easily overwhelmed because risks are everywhere, or perceive the risk management process as a management practice for only the largest enterprises. Please don’t fall into either one of these traps.
Take a simple and practical approach to identifying the true value-killer risks from the very beginning. What are these? Simply stated, they are the fundamental threats to your brand and its value. As a founder, how are you creating value by building and protecting your brand?
Obviously, no company is immune from risk, as you’ve seen in high-profile incidents ranging from the Target data breach to the BP oil spill. Large companies typically survive these incidents because they have gigantic balance sheets, and regulators and legislators are not going to come down too hard on them because they don’t want to put such huge entities out of business.
But the main reason why many of these shocking and highly newsworthy events do not result in the demise of these companies is that, fundamentally, there is still confidence in the brand. As a startup, you are still building your brand and the goodwill that goes with it. Please do not overlook or underestimate the fundamental risks to your business. Doing so can put a small entity out of business very rapidly.
As a founder, you need to simplify business risk. Create a short list of the most critical value-killer risks that can irreparably harm your brand, and work to prevent or mitigate them. Examples of key universal risks include:
- technology and data risk: risks based on the cybersecurity, resiliency and scalability of your technology architecture and platform development;
- talent risk: retention of key team members and attracting and scaling the necessary resources;
- operational risk: any mission-critical business activities, procedures and systems that affect customer experience and cash flow;
- financial risk: effective financial planning, capital management and investment strategies;
- regulatory and compliance risk: the most critical global, federal and local laws and regulations for your current and future business footprint; and
- strategic risk: Mark Twain said it best: “It ain’t what you don’t know that gets you into trouble; it’s what you know for sure that just ain’t so.” So step back and regularly reassess your assumptions — and how they affect your business strategy.
Similarly, you need to identify what I call your desert island list of compliance activities — the most important issues you need to address to stay out of trouble.
There will always be people who say you can’t do that. “What if you collect personally identifiable information, and you have one customer in Brussels and you don’t protect their data properly? Now you’re going to face the wrath of the European Commission, and the VCs are going to run for the hills!”
But you can’t chase compliance with every single regulation, either. You’ve only got so much money and time. This is where compliance ties back to the other two legs of the GRC stool: seasoned governance and value-killer risk management.
Where are your advisors saying you should prioritize your compliance activities, and what are the risks if you don’t comply?
If you don’t think about how to simply and practically curate your compliance requirements, you’re going to be wasting a lot of money that you don’t have. Then, as your revenue grows, your compliance efforts should scale with it.
As a startup founder, think of governance, risk and compliance as a strategic choice that you should make early on in the evolution of your company. In summary:
- Governance is an opportunity to form a group of qualified, seasoned and trusted advisors that will help make you successful. Don’t miss this opportunity.
- Risk should be a short list of true value killers. Generally speaking, this value-killer list should be under 10 items.
- Compliance ensures that you are operating in accordance with the most critical laws and regulations that apply to your current business. Have a view of how your compliance landscape can change because of new requirements or as your business evolves.
Make GRC an asset, not a burden. I promise it will pay off.